ABOUT SYMANTEC

Press Release

LinkedIn Facebook Twitter RSS

Symantec Rates Sadmind/IIS Worm a One In Severity - Risk Impact of Security Vulnerability Resulting From Worm Exploit Rated as High

Symantec's Intrusion Prevention, Vulnerability Assessment and AntiVirus Solutions Detect and Prevent Sadmind/IIS Worm, Protecting Critical E-mail and Web Servers

CUPERTINO AND MOUNTAIN VIEW, Calif. - May 14, 2001 Symantec Corp. (Nasdaq: SYMC) today announced its award-winning security solutions protect customers against a highly sophisticated hacking effort that uses a worm to exploit a known vulnerability. Symantec's NetProwler, Enterprise Security Manager (ESM) and Norton AntiVirus provide detection for and protection against the sadmind/IIS worm.

"What is interesting about this attack is that the worm itself is not the main threat, it is the vulnerability exploited by that worm that can really cause significant damage," said Vincent Weafer, senior director, Symantec AntiVirus Research Center (SARC). "Unpatched operating system holes are one of the most common ways to break into an organization's network - and using a worm to break into the system is becoming more and more common."

Sadmind/IIS is the latest worm designed to attack unpatched versions of Microsoft Internet Information Server (IIS) versions 4.0 and 5.0 Web servers and unpatched versions of Solaris 7 or lower. The Sadmind/IIS worm exploits a buffer overflow vulnerability in the Sadmind program used to remotely control system administration on Solaris operating systems. Once the Solaris system is compromised, the worm searches for Microsoft systems running IIS Web server v. 4.0 or v. 5.0, where it defaces the targeted Web page. The worm further scans to identify other Solaris systems to compromise.

Exploiting server vulnerabilities can result in hackers gaining remote administrator access. This level of access can enable any level of hacker to wreak havoc on systems such as Solaris and IIS, which are commonly used as the internal backbone for an organization's e-mail and Web servers.

"The Sadmind/IIS worm takes advantage of a two-year old security hole in Solaris, which has since been fixed," Weafer said. "The majority of hacking attempts could be thwarted if companies made sure they kept their systems up-to-date and enforced a sound security policy. ESM, NetProwler and Norton AntiVirus ensure corporations are alerted to and protected against both the Solaris and IIS exploits, keeping Symantec's customers ahead of this latest vulnerability."

Symantec's award-winning intrusion prevention, vulnerability assessment and anti-virus solutions, NetProwler, Enterprise Security Manager (ESM) and Norton AntiVirus, work in concert to detect and protect against the Sadmind/IIS worm and associated exploits. Symantec currently offers an ESM patch and registry templates, as well as NetProwler Security Updates and Norton AntiVirus signatures to protect against the Sadmind/IIS worm. These can be downloaded from http://www.symantec.com/avcenter/security/Content/2001_05_11.html. Additionally, hot fixes can be downloaded directly from Microsoft's TechNet Security page, at http://www.microsoft.com/technet/security/bulletin/MS01-023.asp or from Sun Microsystems from the Sun Security Bulletin #00191: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba.

Symantec Enterprise Solutions
Symantec customers worldwide utilize the award-winning ESM to automatically check, manage and enforce sound security practices across the enterprise, including workstations, file servers, Web servers, and other key Internet access points worldwide. Through ESM's sophisticated file monitoring and host-based assessment capabilities, customers can proactively manage and detect the Sadmind/IIS worm and many other threats as part of a comprehensive security policy. ESM's startup FileWatch module detects running services in violation of an organization's security policy, and the password strength module detects inadequate passwords. The FileWatch and file attributes modules of ESM track changes and security settings in critical files that are exploited in the majority of Internet attacks to enable the customer to quickly respond and rectify potential security threats.

NetProwler, Symantec's network intrusion detection system, can identify and terminate malicious activity on a network in real time. NetProwler's Security Update 5 (SU5) can detect attacks to the Windows 2000 IIS 5.0 Server and SU6 detects attack attempts to the Sun Solaris operating system via the Sadmind worm vulnerability. Both SU's are downloaded using its auto update feature. NetProwler streamlines the process of implementing, maintaining and enhancing real-time network intrusion detection for network managers grappling with changing, open networks and the stringent security requirements of e-business. While some other IDS solutions require a system shutdown during updates, NetProwler's active updating enables companies to securely update new signatures in real-time with no interruption of system defenses.

Additionally, Norton AntiVirus definitions are available to detect the Sadmind/IIS worm. Symantec's Norton AntiVirus Corporate Edition provides enterprise-class protection at the desktop and file/print server tiers of the corporate network. The release of Symantec's Norton AntiVirus Corporate Edition 7.5 introduces customers to the Digital Immune System, a Web-based closed-loop automation technology designed to quickly and automatically handle flood conditions caused by today's rapidly spreading Internet-borne viruses.

Symantec Enterprise Security
ESM, NetProwler and Norton AntiVirus are key components of Symantec Enterprise Security that provides any size organization with the technology, global response and services necessary to manage its information security. Symantec's comprehensive solution offers best-of-breed products to protect gateways, servers, and clients with virus protection, firewall security, intrusion detection and vulnerability management. Customers benefit from Symantec's global network of researchers that provide customers with around-the-clock, immediate response to any new security-related attacks. Symantec Enterprise Security customers are also supported by Symantec Security Services, which offers security consulting, education, and implementation as well as managed security services. For more information, please visit Symantec's enterprise Web site at http://enterprisesecurity.symantec.com

About Symantec
Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, vulnerability assessment, intrusion prevention, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit our Web site at www.symantec.com.

Symantec, the Symantec logo, AXENT, AXENT Technologies, and the AXENT logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation or its subsidiaries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

@Symantec